The reason for me to look at /dev/mem (or /dev/kmem, I don't understand the difference currently) is this:
I'm using GELI for full disk encryption and I thought that finding the passphrase in memory isn't that easy:
user@fbsd:/data# memdump > mem.dump
memdump: Stopped on OFFT_TYPE wraparound after 0xfffff000
user@fbsd:/data# strings mem.dump | grep passphrase
Dec 31 00:33:29 prod kernel: Enter passphrase for ad4: verysecretpassphrase
I'm not really happy with that. Is there a reason to find such messages (like "attention here comes the password") in memory?
Now I'm interested in other things which can be found in memory. Maybe there are some other people here with knowledge of forensics.